Zeek Kerberos Analyzer Null Pointer Dereference Vulnerability
Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Attackers can exploit a parser and analyzer state mismatch where proc_padata() dereferences an uninitialized pa_data_element field selected by the wrong parsing arm, triggering a crash via a single UDP or TCP packet to port 88 without any credentials or prior authentication.
Quick answer
Zeek should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Zeek before 8.0.9
Fixed versions
- 8.0.9
How to fix it
Zeek before 8.0.9 is affected by a Kerberos analyzer null pointer dereference that can let unauthenticated attackers crash the sensor with crafted Kerberos traffic. Upgrade Zeek to 8.0.9 or later and monitor Kerberos analyzer stability. Prioritize sensors observing untrusted or high-volume Kerberos traffic.
- Inventory Zeek sensors, package versions, container images, and appliances running the Kerberos analyzer.
- Upgrade Zeek to 8.0.9 or later across affected sensors.
- Restart Zeek workers and verify the patched binaries are active on all nodes.
- Restrict or filter untrusted Kerberos traffic to vulnerable sensors until upgrades are complete where operationally safe.
- Review crash logs, Zeek reporter logs, and packet captures for crafted KRB_ERROR messages with suspicious PA-DATA elements.
- Tune monitoring to alert on repeated Zeek worker crashes or Kerberos analyzer failures.
- Back up Zeek configuration and redeploy from trusted packages if sensors were unstable during exploitation attempts.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm all sensors report Zeek 8.0.9 or later.
- Validate crafted Kerberos error traffic no longer crashes the Kerberos analyzer in a safe test environment.
- Review Zeek logs for crash patterns before and after the upgrade.
- Test normal Kerberos logging and detection workflows after remediation.
- Run a Fixnx scan and confirm public monitoring or sensor administration interfaces are not exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-60109?
Zeek versions listed as affected should be reviewed: Zeek before 8.0.9.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
